Friday, August 28, 2009

Some of these cases will be due to Eircom's own incompetence in issuing up to 250,000 wireless routers with easily guessable passwords - which will result in some people piggybacking on Eircom users' connections. But there is a wider problem, in that the investigators used by the music industry have a track record of making false copyright infringement claims.

In that study, the researchers document receiving 487 notices under the DMCA: all wrongfully alleging that files were being illegally shared over BitTorrent. Among the alleged culprits were three laserjet printers which between them were accused on nine separate occasions of downloading movies. (Bad printers! No toner for you tonight.)

Practically any Internet user can be framed for copyright infringement today. By profiling copyright enforcement in the popular BitTorrent file sharing system, we were able to generate hundreds of real DMCA takedown notices for computers at the University of Washington that never downloaded nor shared any content whatsoever.

Further, we were able to remotely generate complaints for nonsense devices including several printers and a (non-NAT) wireless access point. Our results demonstrate several simple techniques that a malicious user could use to frame arbitrary network endpoints.

Even without being explicitly framed, innocent users may still receive complaints. Because of the inconclusive techniques used to identify infringing BitTorrent users, users may receive DMCA complaints even if they have not been explicitly framed by a malicious user and even if they have never used P2P software!

In light of these findings, I wonder how reliable the evidence presented by the music industry to Eircom will be, and whether the flaws identified in this study will be addressed. So far, all we have to go on are leaked details of a draft protocol between Eircom and the music industry on the information to be provided with each accusation.

Those details are, however, too vague at this stage to be useful.

For example, the draft apparently provides that "the information which will be provided by the record companies will be of the same type as that used in the three previous disclosure actions in the Irish High Court". What precisely does this mean? Similarly, the protocol appears to require the music industry to provide "the digital fingerprint/hash for copyright material detected". Does this mean that before a complaint can be made, the investigators must download the entire file allegedly shared by the user? There is also apparently provision for "reputable annual independent certification that the necessary ... I.T. ... controls relating to the obtaining, generating and processing of data by Detecnet ... have been complied with". Will this require certification that the types of problems identified by the University of Washington and others have been solved? In fairness to Eircom, it does appear that it has made some efforts to include elements in the agreement which might meet some of these problems. But without more detail on the agreement it's impossible to be confident that innocent users (or printers!) will not be wrongly accused.

Tuesday, August 25, 2009

Eircom's block of The Pirate Bay comes into force on September 1st. With that in mind it might be worth examining precisely what Eircom is obliged to do. The relevant portion of the court order (to which Eircom consented) is the following:

IT IS ORDERED

(1) Pursuant to Section 40(4) of the Copyright and Related Rights Act, 2000 that the Defendant do block or otherwise disable access by its subscribers to the Website ThePirateBay.org and related domain names IP addresses and URLs listed in the Schedule attached hereto together with such other domain names IP addresses and URLs as may reasonably be notified as related domain names by the Plaintiffs to the Defendant from time to time...

Schedule

The Pirate Bay main site

Thepiratebay.org main site is hosted on a server with IP address 192.121.86.15

Astute readers might have guessed that the list of IP addresses would rapidly go out of date, and checking today, that seems to be the case. This might be related to the fact that earlier today TPB upped and moved servers in response to the Swedish authorities ordering their connectivity provider to disconnect them from the internet.

Whatever the reason, this highlights one problem with the order - there's no provision for the possibility that an IP address or domain name initially associated with TPB later comes to be associated with a different and innocent site. I'm told (by someone who should know) that this is unlikely at least in the short term in the case of TPB - but that's no excuse for an order which doesn't even consider this risk, much less provide for any safeguard.

Of course, the order doesn't specify the methods to be used by Eircom to "block or otherwise disable access by its subscribers to the Website ThePirateBay.org and related domain names IP addresses and URLs". Any thoughts on what these might be and their possible pitfalls?

Friday, August 21, 2009

As I prepare my course materials for the new course in Digital Investigations and the Law I find myself revisiting cases which I intended to blog when they were initially decided but which never made it to the screen. Here's an interesting one from 2005 which discusses when a court will compel computer forensics experts to reveal their proprietary methods, and which raises some interesting questions about whether such methods are compatible with the general approach of the courts towards expert witnesses.

In Mulcahy v Avoca Capital Holdings [2005] IEHC 136 (full text not available but summarised here) the plaintiff was the subject of disciplinary procedures by his employer including allegations of "improper dealing with the e-mail inboxes of senior members of staff and ... improper dealing with the company's IT systems". He brought an action in the High Court seeking to stop the disciplinary process.

In order to deal with the allegations against him, the plaintiff sought to have his computer forensics experts examine certain computers belonging to the employer. Access was granted by the court, but a dispute arose as to whether the plaintiff's experts would be entitled to keep secret their proprietary methods for carrying out the examination.

Significantly, Clarke J. held that while a court would not unnecessarily require an expert to reveal confidential methods, by acting as an expert witness a person exposed their methodology to scrutiny in court and fair procedures demanded that the other party be able to assess and challenge that approach in appropriate cases.

The relevant passage is worth quoting in full as the judgment doesn't seem to be freely available online:

The final point I would like to comment on is the argument put forward in evidence on behalf of Grant Thornton [acting for the plaintiff], which amounted to a plea for the protection of their proprietary methods. A court must always, in circumstances such as this, be concerned not to expose experts to any unnecessary exposure of the benefits of their craft, as it were, but it does have to be said that a person who presents themselves as willing to act as an expert in proceedings necessarily exposes their methods to investigation in court. Just to put it at its mildest, if Grant Thornton and Ritz [acting for the defendant] were to give evidence in a trial which conflicted as to their findings, the only way the court could resolve that conflict would be by investigating their methods and forming a view as to which method is better. So it seems to me, as a matter of principle and a matter of practice in this case, an expert just cannot stand on ceremony in that way; by being available to give forensic evidence in proceedings an expert is potentially exposing his methods to detailed investigation. He cannot say, "I am going to give evidence but I am not going to tell people how I carried out my inquiries." While a court should not make any directions that would unnecessarily expose the skills of an expert, it nonetheless seems to me that there is a limit to the extent to which those methods can be protected and, therefore, on the facts of this case I would not place any significant weight on that concern on their part. (Emphasis added.)

This decision is in one sense unsurprising: past decisions such as State (D&D) v. Groarke [1990] 1 IR 305 have shown a judicial willingness to look behind an expert's opinion to the procedure on which it is based.

But perhaps the most interesting aspect of this case, as compared with the use of other expert witnesses such as doctors or engineers, is the tacit assumption that computer forensics experts will be using methods which are confidential to them or home-grown.

Perhaps in the relatively early years of computer forensics as a discipline this assumption might have been justified - though today it's beginning to look increasingly shaky with the move towards open source forensics tools as well as commercial products such as EnCase. Nevertheless it raises an interesting question - should the courts accept expert testimony when the underlying tools or methods have not been the subject of peer review to ensure their reliability?

Although the Irish courts have yet to adopt an approach similar to the US Daubert standard, there has been at least one recent judgment in which "expert" testimony has been rejected where it hasn't been shown to have a "properly established scientific provenance" or "the requisite degree of expert peer approval". (See DPP v. Michael Joseph Kelly (2008) in relation to the controversial CUSUM technique for determining the author of a document.) In light of this decision, one wonders how the Irish courts might evaluate the use of proprietary computer forensics tools today.

Wednesday, August 19, 2009

In the latest twist in the Irish filesharing wars, it's emerged today that Eircom will start blocking access to The Pirate Bay from the first of September, while UPC has rejected music industry demands that it do so also. (The Irish Times | RTE). So what's going on?

First - the Eircom situation. When Eircom settled the case brought against it by the music industry it agreed - in addition to implementing a three strikes system against its users - not to oppose any application to the court to block access to The Pirate Bay. The predictable result was that an unopposed application would be granted without any real judicial scrutiny - and this has now happened. On the 24th of July, on the consent of Eircom, Mr. Justice Charleton in the High Court granted an order requiring it to:

block or otherwise disable access by its subscribers to the website thePirateBay.org and related domain names, IP addresses and URLs ... together with such other domain names, IP addresses and URLs as may reasonably be notified as related domain names by [the music company plaintiffs] to [eircom] from time to time.

That order requires Eircom to put such a block in place from the start of September (and, remarkably, to block additional sites designated by the plaintiffs as "related" - something presumably designed to avoid evasion but which may be prone to abuse). Crucially, however, Mr. Justice Charleton stressed that he had only heard one side, and that consequently any decision he made was on the basis of one side putting forward an unopposed application - expressly noting that had the matter been argued, a different conclusion might have been reached by a different court. In short, the order has no precedential value.

Despite this, however, the music industry appears to have been emboldened by the order, which takes us on to the UPC situation. It seems that the plaintiffs then wrote to UPC demanding that it also block The Pirate Bay, lest customers "migrate" from Eircom, and threatening immediate proceedings unless it blocked access also. UPC - which is already being sued by the music industry in separate proceedings essentially demanding it implement "three strikes" - has rejected this demand, and indicated that it will vigorously defend any additional action also.

The current state of play raises some interesting questions. For example: Will users begin to migrate from Eircom? Is it appropriate for a court - even on consent - to make an order which will have the effect of blocking user access to a great deal of legitimate content? (While the percentage of legal torrents on The Pirate Bay might be contested, there's no doubt but that it indexes a great deal of legitimate content.) Should such an order allow plaintiffs to (apparently unilaterally) determine which sites are "related" and require those to be blocked also? Why have Eircom been so shy about revealing the existence of the blocking? Expect these and other issues to come to the fore over the next few days.

Friday, August 14, 2009

In a previous post I pointed out the remarkable lack of transparency in the oversight of surveillance in Ireland. This has become all the more worrying since July when the remit of this oversight system was extended (by the Criminal Justice (Surveillance) Act 2009) beyond telephone tapping and data retention to include also the planting of covert audio bugs, video cameras and GPS trackers. In effect, the Designated Judge has now been given (by ad hoc extensions of his role) oversight of most forms of surveillance - with public accountability in respect of this oversight remaining limited to a single page annual report.

Two recently published documents from the UK illustrate a better model of oversight.

The first is the 2008 Report of the Interception of Communications Commissioner. The primary role of this official - a retired judge - is similar to that of the Irish Designated Judge in relation to interceptions and data retention. Unlike our uninformative annual report, however, the Interception Commissioner gives much more detail in relation to his work. Here are some examples:

In short, I meet officers in the agencies undertaking interception work and officials in the departments of the Secretaries of State/Ministers which issue the warrants. Prior to each visit, I obtain a complete list of warrants issued or renewed or cancelled since my previous visit. I then select, largely at random, a sample of warrants for inspection. These include both warrants and attendant certificates. In the course of my visit I satisfy myself that those warrants fully meet the criteria of RIPA, that proper procedures have been followed and that the relevant safeguards and Codes of Practice have been followed. During each visit I review each of the files and the supporting documents and discuss the cases with the officers concerned. I can, if I need to, view the product of interception. It is of paramount importance to ensure that the facts justified the use of interception in each case and that those concerned with interception fully understand the safeguards and the Codes of Practice...

During 2008, I visited a total of nine communication service providers (CSPs) and internet service providers (ISPs) consisting of the Royal Mail and the communications companies who are most engaged in interception work. These visits, mostly outside London, are not formal inspections but are designed to enable me to meet both senior staff in each company as well as the personnel who carry out the work on the ground, and for them to meet and talk to me. I have no doubt that the staff in the CSPs and ISPs welcome these visits. We discussed the work that they do, the safeguards that are in place, any errors that have occurred, any legal or other issues which are of concern to them, and their relationships with the intercepting agencies...

Fifty errors and breaches [in relation to interceptions] have been reported to me during the course of 2008. This is a marked increase when compared with the total of 24 errors and breaches reported in my last Annual Report. I consider the number of errors to be too high. By way of example, details of some of these errors are recorded below...

That report gives a similar level of detail in relation to communications data issues. Here's an example:

the police took swift action when information from a reliable source suggested that a number of very young children were at immediate risk of falling into the hands of a paedophile ring. Subscriber information relating to an Internet Protocol (IP) Address was obtained in order to locate an address for the children but unfortunately it would appear this was not correct. The police entered the address and arrested a person who was completely innocent and further enquiries are continuing. This was a very unfortunate error and the whole process of obtaining data relating to IP addresses has been re-examined. In this case there was confusion between the Internet Service Provider and the public authority over how the data should be interpreted, particularly in relation to the critical international time zones. Better checks and balances have been put in place to help clarify the process, which includes liaison with the SPoC trainers and these should help to prevent similar errors in the future.

The second recent document from the UK is the Report of the Chief Surveillance Commissioner for 2008/2009. This report covers some of the same areas where the Designated Judge now has responsibilities, particularly in relation to the planting of covert bugs and video surveillance. Again the level of review is quite detailed:

Common causes of error

The areas that have received the most criticism on inspection – and this applies equally to all types of public authority – in this reporting period are:

(a) a continuing failure on the part of Authorising Officers properly to demonstrate that less intrusive methods have been considered and why they have been discounted in favour of the tactic selected;

(b) the continuing preference to interpret private information as limited to biographical data rather than recognise the wider meaning decided by the European Court of Human Rights. A specific act of surveillance may not be intrusive but a combination of acts may enable the construction of a profile; this requires careful consideration when judging whether an individual’s private life is subject to interference;

(c) the failure of Authorising Officers, when cancelling authorisations, to give directions for the management and storage of the product of the surveillance;

(d) the continuing confusion with regard to the need for authorisation when surveillance equipment (such as CCTV) is focused on an individual in a public place. It is not where the CCTV is placed (which may be overt or covert) but the manner in which the camera is used that is determinative of whether the surveillance is covert;

(e) Authorising Officers not knowing the capability of the surveillance equipment which they are authorising. For instance, there are differences between video cameras that record continuously and those activated by motion; and between thermal image and infra-red capability. These differences may have an important bearing on how a surveillance operation is conducted and the breadth of the authorisation being granted. Therefore, a simple authorisation for ‘cameras’ is usually insufficient;

(f) poor internal audit by senior management. The Central Record of Authorisations is often in a form not conducive to quick review or status check. Sometimes it is apparent that there has been no meaningful internal audit between OSC inspections; and

(g) those conducting covert surveillance basing their activity on what was requested rather than on what was specifically authorised. R v Sutherland underpins the importance of briefing those conducting the surveillance beforehand on the specific authorisation.

The significance of these reports lies not so much in the specifics, but in the fact that they illustrate a more effective form of regulating surveillance. The Irish model - in which oversight is minimal and given as a part-time duty to a busy judge - seems increasingly unsustainable in comparison.

Friday, August 07, 2009

I've just stumbled on a document on scribd which purports to be a "Briefing Note on arrangement between Eircom and the Irish Recorded Music Association (IRMA) with regard to Copyright Infringement" dating from March. While there's no indication as to who posted the document or whether it is authentic, it certainly appears to be genuine and to reflect Eircom's position. There are some very interesting details in the document as to how Eircom proposes to implement "three strikes" and here's an excerpt:

Under the draft protocol, the notification shall include the following information (at a minimum):

* details of copyright holder (name and address);
* why the notification is being sent (i.e. setting out the breach of copyright);
* the actual copyright work that has been infringed (information on copyright material, for example artist, song, title and album title);
* the IP address;
* the time stamp of when the investigation was initiated;
* the time stamp of when the investigation was completed, the peer to peer application/software used by the customer;
* and, the digital fingerprint/hash for copyright material detected;

The last item, the digital fingerprint/hash of the copyright material detected, allows eircom to verify that the copyright work identified by the record companies is in fact owned by them.

In addition, the information which will be provided by the record companies will be of the same type as that used in the three previous disclosure actions in the Irish High Court involving the parties and eircom will not act upon a notification from the record companies that does not contain the information set out above.

eircom has also requested that the record companies provide independent certification that the notification has been lawfully obtained by and on behalf of the record companies.

The record companies are also to provide reputable annual independent certification that the necessary legal, I.T., entity level and regulatory controls relating to the obtaining, generating and processing of data by Detecnet (or any other supplier engaged by the record companies) have been complied with.
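An added example, not part of the briefing note or of Eircom's systems: a sketch of how an ISP could refuse to attribute a notification unless every item listed in the draft protocol is present, both timestamps carry an explicit UTC offset, and a single lease covers the whole investigation window. It also reproduces the time zone confusion described in the Interception Commissioner's report quoted earlier on this page. The field names, lease log and address are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical field names for the items the draft protocol lists.
REQUIRED = ("copyright_holder", "reason", "work", "ip", "started",
            "completed", "p2p_client", "content_hash")

@dataclass(frozen=True)
class Lease:
    ip: str
    subscriber: str
    start: datetime  # timezone-aware, UTC
    end: datetime

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed lease log: one dynamic address reassigned at 20:45 UTC.
LEASES = [
    Lease("192.0.2.10", "subscriber-A", utc(2009, 8, 28, 18, 0), utc(2009, 8, 28, 20, 45)),
    Lease("192.0.2.10", "subscriber-B", utc(2009, 8, 28, 20, 45), utc(2009, 8, 28, 23, 0)),
]

def lookup(ip, start, end, leases):
    """Subscriber whose single lease covers the whole window, else None."""
    hits = [l for l in leases if l.ip == ip and l.start < end and l.end > start]
    if len(hits) == 1 and hits[0].start <= start and hits[0].end >= end:
        return hits[0].subscriber
    return None

def guess_with_assumed_offset(notice, leases, hours):
    """The failure mode: silently pin an offset on zone-less timestamps."""
    tz = timezone(timedelta(hours=hours))
    start = datetime.fromisoformat(notice["started"]).replace(tzinfo=tz)
    end = datetime.fromisoformat(notice["completed"]).replace(tzinfo=tz)
    return lookup(notice["ip"], start, end, leases)

def parse_aware(text):
    """Parse ISO 8601 text; None unless it carries an explicit UTC offset."""
    try:
        ts = datetime.fromisoformat(text)
    except (TypeError, ValueError):
        return None
    return ts.astimezone(timezone.utc) if ts.tzinfo is not None else None

def attribute(notice, leases):
    """Return (subscriber, reason); subscriber is None when refusing to act."""
    missing = [f for f in REQUIRED if not notice.get(f)]
    if missing:
        return None, "missing: " + ", ".join(missing)
    start, end = parse_aware(notice["started"]), parse_aware(notice["completed"])
    if start is None or end is None:
        return None, "timestamp lacks an explicit UTC offset"
    if end < start:
        return None, "completed precedes started"
    who = lookup(notice["ip"], start, end, leases)
    if who is None:
        return None, "no single lease covers the investigation window"
    return who, "ok"

def make_notice(started, completed, **overrides):
    """Build a constructed sample notification with all fields filled in."""
    notice = {"copyright_holder": "Example Records, 1 Example St", "reason": "sharing",
              "work": "Artist / Song / Album", "ip": "192.0.2.10", "started": started,
              "completed": completed, "p2p_client": "ExampleTorrent 1.0",
              "content_hash": "constructed-placeholder-hash"}
    notice.update(overrides)
    return notice

if __name__ == "__main__":
    vague = make_notice("2009-08-28T21:10:00", "2009-08-28T21:25:00")
    for hours in (0, 1):  # same notice, two guesses about its time zone
        print("assumed UTC%+d ->" % hours, guess_with_assumed_offset(vague, LEASES, hours))
    print(attribute(vague, LEASES))
```

The same zone-less notice resolves to a different subscriber depending on whether the reader assumes UTC or Irish summer time, which is why `attribute` refuses it outright.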

Thursday, August 06, 2009

The EFF have published an excellent short report on locational privacy (pdf) which highlights the threats posed by data retention and other technological developments. Here's an excerpt:

What is locational privacy?

Locational privacy (also known as “location privacy”) is the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use. The systems discussed above have the potential to strip away locational privacy from individuals, making it possible for others to ask (and answer) the following sorts of questions by consulting the location databases:

• Did you go to an anti-war rally on Tuesday?
• A small meeting to plan the rally the week before?
• At the house of one “Bob Jackson”?
• Did you walk into an abortion clinic?
• Did you see an AIDS counselor?
• Have you been checking into a motel at lunchtimes?
• Why was your secretary with you?
• Did you skip lunch to pitch a new invention to a VC? Which one?
• Were you the person who anonymously tipped off safety regulators about the rusty machines?
• Did you and your VP for sales meet with ACME Ltd on Monday?
• Which church do you attend? Which mosque? Which gay bars?
• Who is my ex-girlfriend going to dinner with?

Of course, when you leave your home you sacrifice some privacy. Someone might see you enter the clinic on Market Street, or notice that you and your secretary left the Hilton Gardens Inn together. Furthermore, in the world of ten years ago, all of this information could be obtained by people who didn’t like you or didn’t trust you.

But obtaining this information used to be expensive. Your enemies could hire a guy in a trenchcoat to follow you around, but they had to pay him. Moreover, it was hard to keep the surveillance secret — you had a good chance of noticing your tail ducking into an alley.

In the world of today and tomorrow, this information is quietly collected by ubiquitous devices and applications, and available for analysis to many parties who can query, buy or subpoena it. Or pay a hacker to steal a copy of everyone’s location history.

It is this transformation to a regime in which information about your location is collected pervasively, silently, and cheaply that we’re worried about.